NCSC (National Cyber Security Centre) - Weekly Threat Report @ncsc #cybersecurity

Friday, August 23, 2019

Weekly Threat Report - 23rd August 2019

 

 

Bluetooth vulnerability spotted and patched

 

Researchers have discovered a vulnerability in the Bluetooth wireless standard which could allow attackers to intercept keystrokes, address books, and other sensitive data.

 

The vulnerability, named ‘Key Negotiation of Bluetooth’, potentially allows attackers to affect the length of encryption keys, even reducing them down to a single digit, making fraudulent access to connected devices much easier.

 

The report notes that ‘the attack is standard-compliant because all Bluetooth BR/EDR versions require to support encryption keys with entropy between 1 and 16 bytes and do not secure the key negotiation protocol. As a result, the attacker completely breaks Bluetooth BR/EDR security without being detected’.

 

Although breaking the BR/EDR protocol depends on both devices having the vulnerability, a successful attack would give hackers the opportunity to intercept, access and alter exchanges between devices.

 

In response to this flaw, Bluetooth have released a statement and security notice suggesting there had been ‘no evidence that the vulnerability has been exploited maliciously’. It also outlined an update to the Bluetooth Core Specification which would promote a minimum encryption key length of 7 octets for BR/EDR connections.
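As an added illustration (not part of the NCSC report or the Bluetooth notice), the Python 3 code below checks the key size a Bluetooth controller reports for each BR/EDR link against the 7-octet minimum mentioned above. It assumes raw HCI event bytes without the transport's packet-type byte; the function names and the sample events are constructed for this example.

```python
import struct

EVT_COMMAND_COMPLETE = 0x0E
OP_READ_ENC_KEY_SIZE = 0x1408  # HCI_Read_Encryption_Key_Size (OGF 0x05, OCF 0x0008)
MIN_KEY_SIZE = 7               # octets, the minimum named in the updated specification


def parse_key_size_event(event: bytes):
    """Return (handle, key_size) from a Command Complete event for
    HCI_Read_Encryption_Key_Size, or None for other, failed or short events."""
    if len(event) < 2 or event[0] != EVT_COMMAND_COMPLETE:
        return None
    params = event[2:2 + event[1]]
    if len(params) != event[1] or len(params) < 7:
        return None  # truncated, or too short to carry a key size
    # Num_HCI_Command_Packets, opcode, status, connection handle, key size
    _num, opcode, status, handle, key_size = struct.unpack_from("<BHBHB", params)
    if opcode != OP_READ_ENC_KEY_SIZE or status != 0:
        return None  # a failed read carries no usable key size
    return handle & 0x0FFF, key_size  # connection handles are 12 bits wide


def weak_links(events):
    """List (handle, key_size) for links negotiated below the minimum."""
    found = []
    for ev in events:
        parsed = parse_key_size_event(ev)
        if parsed and parsed[1] < MIN_KEY_SIZE:
            found.append(parsed)
    return found


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    bytes.fromhex("0e07010814000b0010"),  # handle 0x00b, 16-octet key
    bytes.fromhex("0e07010814000c0001"),  # handle 0x00c, 1-octet key
    bytes.fromhex("0e07010814000d0007"),  # handle 0x00d, 7-octet key (at the minimum)
    bytes.fromhex("0e0401030c00"),        # Command Complete for a different command
    bytes.fromhex("0e0701081400"),        # truncated event
]

if __name__ == "__main__":
    for handle, size in weak_links(SAMPLE_EVENTS):
        print(f"handle 0x{handle:03x}: {size}-octet key is below {MIN_KEY_SIZE}")
```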

 

The NCSC would always advise patching with the latest updates, but there are also some useful links from companies that have released updates mitigating this vulnerability.

  • Microsoft: Windows

  • Apple: macOS, iOS and watchOS

  • Google: Android

  • Cisco: IP phones and Webex

  • BlackBerry: powered by Android phones

Using Python 2? It’s time to move on

 

Developers using Python 2 should plan ahead and switch to Python 3, as Python 2 loses its support from 1st January 2020.

 

As we step into 2020, Python 2 will be left firmly in the past, with no more security updates or bug fixes. Continuing to use it will only heighten the risk of vulnerabilities, and the NCSC’s advice is to port your code to Python 3 as soon as possible.

If you want more information and advice, or to dive into the detail a little more, the NCSC’s Rich M has blogged about this very subject this week.

 

In general, the NCSC will always stress the importance of updating and, whilst patching alone won’t magically make you secure, failing to do so is the best way to undermine an otherwise secure design.

It is also well worth reading the NCSC’s risk management guidance, and the secure development and deployment guidance.

 

 
